Thousands of Buggy BeyondTrust Systems Remain Exposed

Weeks after the critical vulnerability was disclosed and used in a breach of the Treasury Department, nearly 9,000 BeyondTrust instances remain reachable from the Internet, researchers say.


A remarkable number of BeyondTrust instances remain connected to the Internet, despite dire warnings that Chinese state-sponsored threat actors are actively exploiting a critical vulnerability in unpatched systems.

The BeyondTrust bug, a command injection flaw tracked as CVE-2024-12356, carries a CVSS score of 9.8 and affects Privileged Remote Access (PRA) and Remote Support (RS). BeyondTrust first disclosed it on Dec. 16, 2024. Three days later, the vulnerability was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities list. By the end of the month, a Chinese state-sponsored hacker group had used the flaw to break into the US Department of the Treasury and steal data.

New analysis from Censys has found that, despite highly publicized evidence of a widespread advanced persistent threat (APT) campaign against unpatched systems, 8,602 instances of BeyondTrust PRA and RS are still connected to the Internet, 72% of them in the US. But Censys attached a big caveat to the research: it has no way to know whether the exposed instances have been patched or not.

It is unknown what portion of these open instances remain unpatched. BeyondTrust says all self-hosted instances have been force-updated; however, when asked whether that means these open instances are indeed patched, the company did not confirm it. A sizable portion, if not all, of these systems are self-hosted BeyondTrust deployments that have been left open to the Internet and are therefore potentially vulnerable, experts say.

Censys has not responded to a request for clarification.

Self-Hosted BeyondTrust Deployments Likely Behind the Lag

"If this data is correct, it reflects the age-old tradeoff in software service operating philosophies and licensing models," Bugcrowd CISO Trey Ford says. "Hosted services will have scale economies supporting both detection/response efforts, as well as centralized patching and hardening."

Ford adds that organizations can see cost savings on licensing with self-hosted software-as-a-service (SaaS) models, but what they miss out on in turn is critical threat intelligence and remediation help.

"Customers own patching, hardening, and building monitoring capabilities — you're effectively operating on an island by yourself," Ford explains. "Service providers charge a slight premium to provide the patching, hardening, and monitoring — at scale — where the rising tide of operational efficiency protects all customers."

BeyondTrust cloud customers were automatically patched Dec. 16, 2024, as soon as the vulnerability was reported.

"Customers using centralized services will see prioritized, and nearly immediate, patch deployment during incident response cycles," Ford says. "The systems observed online by the Censys report with lagging patch deployment reflect the delay in patch discovery, testing, and patch deployment."

Organizations that cannot patch their self-hosted deployments, for whatever reason, can still protect vulnerable BeyondTrust remote tools, according to John Bambenek, cybersecurity expert and president of Bambenek Consulting.

"In situations like this, even if patching cannot be done, organizations can still limit inbound connectivity to these systems to trusted IP addresses only," he says. "Organizations know who is remotely supporting them, [so] they can easily lock down those IP addresses."
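The source-IP restriction Bambenek describes, worked through as an added example (this is not code from the article, from BeyondTrust, or from Censys). It assumes a hypothetical allowlist of the support vendor's egress ranges, a constructed connection-log format, and that the appliance is reached on TCP port 443; it audits a log sample for connections from outside the allowlist and renders an equivalent nftables ruleset that accepts only the trusted sources on that port and logs and drops everything else.

```python
import ipaddress
import re

# Hypothetical allowlist: the ranges your remote-support vendor connects from.
# Replace with the real egress ranges your provider documents for you.
TRUSTED_SOURCES = ["203.0.113.0/24", "198.51.100.17/32"]

# Constructed sample connection records: "<timestamp> <src> -> <dst>:<port>".
SAMPLE_CONNECTIONS = """\
2025-01-09T10:00:01Z 203.0.113.45 -> 192.0.2.10:443
2025-01-09T10:00:07Z 198.51.100.17 -> 192.0.2.10:443
2025-01-09T10:01:13Z 192.0.2.77 -> 192.0.2.10:443
2025-01-09T10:02:30Z 203.0.113.200 -> 192.0.2.10:22
2025-01-09T10:03:02Z 2001:db8::5 -> 192.0.2.10:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def parse_allowlist(cidrs):
    """Parse CIDR strings strictly so a typo like 203.0.113.5/24 is rejected."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_trusted(src, networks):
    """True if src falls inside any allowlisted network of the same IP version."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks if net.version == addr.version)


def audit_connections(log_text, cidrs, port=443):
    """Return (timestamp, src) for connections to `port` from outside the allowlist.

    Run this over existing logs before enforcing: anything it reports is either
    an attacker or a legitimate source you forgot to allowlist.
    """
    nets = parse_allowlist(cidrs)
    untrusted = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed records rather than guessing
        ts, src, _dst, dport = m.groups()
        if int(dport) != port:
            continue
        if not is_trusted(src, nets):
            untrusted.append((ts, src))
    return untrusted


def render_nft_ruleset(cidrs, port=443, table="beyondtrust"):
    """Render an nftables ruleset that only admits allowlisted sources to `port`.

    The chain policy stays 'accept' so the rules touch only the appliance port;
    all other host traffic is left to your existing firewall policy.
    """
    nets = parse_allowlist(cidrs)
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    out = [f"table inet {table} {{"]
    if v4:
        out.append("  set trusted_v4 { type ipv4_addr; flags interval; "
                   f"elements = {{ {', '.join(v4)} }} }}")
    if v6:
        out.append("  set trusted_v6 { type ipv6_addr; flags interval; "
                   f"elements = {{ {', '.join(v6)} }} }}")
    out.append("  chain input {")
    out.append("    type filter hook input priority 0; policy accept;")
    if v4:
        out.append(f"    ip saddr @trusted_v4 tcp dport {port} accept")
    if v6:
        out.append(f"    ip6 saddr @trusted_v6 tcp dport {port} accept")
    # Everything else destined for the appliance port is logged, counted, dropped.
    out.append(f'    tcp dport {port} log prefix "bt-untrusted " counter drop')
    out.append("  }")
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    for ts, src in audit_connections(SAMPLE_CONNECTIONS, TRUSTED_SOURCES):
        print(f"untrusted source {src} at {ts}")
    print(render_nft_ruleset(TRUSTED_SOURCES))
```

Audit first, then load the rendered ruleset with `nft -f`; note that with no IPv6 ranges in the allowlist every IPv6 connection to the port is dropped, which is the safe default but worth confirming against your vendor's published ranges.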

About the Author

Becky Bracken, Senior Editor, Dark Reading


Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.
